Posted by timothy on Tuesday July 29, 2014 @10:07AM from the fool-me-42-times-won't-get-fooled-again dept.

redletterdave (2493036) writes "Sharron Laverne Parrish Jr., 24, allegedly scammed Apple not once, but 42 times, cheating the company out of more than $300,000 — and his scam was breathtakingly simple. According to a Secret Service criminal complaint, Parrish allegedly visited Apple Stores and tried to buy products with four different debit cards, which were all closed by his respective financial institutions. When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn't really calling his bank. So he would allegedly offer the Apple Store employees a fake authorization code with a certain number of digits, which is normally provided by credit card issuers to create a record of the credit or debit override. But that's the problem with this system: as long as the number of digits is correct, the override code itself doesn't matter."

No, no one ever contacted the bank. Apple's Point of Sale software was configured to accept any number based on length() of the number string. They held the number until the end of the day or some other convenient time, when they'd process it with the banks. That was stupid, and the scam is common. Retailers are starting to learn to call and verify immediately (before clearing the transaction), not to wait until the end of the day.

Are you sure about that??? I highly doubt it. The software can be from anyone (or merchant). I don't think banks supply POS software. I believe the only thing that banks supply is the validation between the bank and retailers/corporations.

I understand the long-running and much-honored Slashdot tradition of not reading TFA, but couldn't you at least have read The Fucking Summary?

> When his debit card was inevitably declined by the Apple Store, he would protest and offer to call his bank — except, he wasn't really calling his bank. So he would allegedly offer the Apple Store employees a fake authorization code with a certain number of digits....

There was ample dumbshittery (and liability) to assign here, but it's all on the Apple Store drones. No bank involved.

Other than mentioning that the store declined the debit card (which is by definition an interaction between the POS and the credit/debit clearinghouse).

But since you've raised the issue, you've shown exactly where you missed the boat.

The exploit is completely OUTSIDE of the POS<->bank interaction. (Cuz, "debit refused"). The exploit occurs in the "call a fake bank, offer up a fake reference number, have the Apple Store drones accept it as proof of a valid credit/debit transaction" phase AFTER the machine-to-machine part.

Apparently, you've fallen for the same trick the Apple Store drones did: fixating on the machine-to-machine debit transaction (which failed as expected) and completely neglecting the social engineering that followed.

Hell, at the retail outlet I used to work at, manager made a blanket policy that if the POS returned a request for an Auth code we just outright declined the transaction, handed the customer an Experian business card and asked if they had another form of payment. If the customer asked if he could call his bank to get an Auth code (Red Flag) we would say that our business system did not allow for manual authorizations (which was true. The system the manager put in place didn't allow for ManAuths, even if the POS did).

It's not a security code, it's a reference number. The transaction isn't formally authorised by the bank until the end of the day when they receive that reference number and tally it with the corresponding phone call from the retailer. *Then* the transaction is authorised. (Assuming said phone call included verbal authorisation of the transaction.)

That the Apple Store didn't know this is how the system works means it was completely open to abuse.

The truth is that credit card interest is the highest profit gig in the whole world. Because of this, Visa/Mastercard and all the myriad banks that work with them have a vested interest in making credit/debit card purchases VERY EASY.
Visa wakes up, takes a dump, then wipes its ass with $300,000 dollars. It is nothing compared to the billions they make in clearing fees alone.
Vendors are not even allowed to do things like require an ID, (I know they do, but it is against the vendor agreement), even though it would make purchases a lot more secure, because EASY trumps everything, EASY makes billions. Secure override codes... Who cares?

Visa/MC and the banks have security measures in place, merchants who follow the process aren't liable for loss from fraudulent cards.
Asking for ID provides no additional protection to merchants and to the extent they rely on it instead of established Visa/MC processes it can lessen security.
But you are correct that making customers spend an extra 30 secs digging out their ID and having some clerk eyeball it and hand it back is not easy and in fact that 30 secs times all the legitimate transactions is more costly than the RARE case of credit card fraud that could be prevented by asking for ID (which is easily circumvented).
The problem here is not the authorization code but that Apple didn't follow the proper procedure of contacting the bank for an override code themselves. There is no need for a secure override code.

> Visa/MC and the banks have security measures in place, merchants who follow the process aren't liable for loss from fraudulent cards. Asking for ID provides no additional protection to merchants and to the extent they rely on it instead of established Visa/MC processes it can lessen security.

The info on the ID is the security measures Visa/MC have in place. They allow a merchant to enter info like address or phone number, and their computers will tell the merchant whether or not it matches the address/phone they have on file for that card. When you pay for gas with a credit card and the pump asks you to punch in your zip code, it's not collecting marketing information. It's using the zip code as a (rather flimsy) security measure to protect against someone buying gas with a lost/stolen credit card. Yeah you can ask the customer to recite their address, but any burglar who stole the card from a house or mugger who got their victim's entire wallet would know the address. A photo ID with that info, while fairly easy to fake, requires a bit more effort on the part of the thief.

Credit card security is in the dismal state it's currently in because Visa/MC/Amex have successfully transferred all the damage from fraudulent transactions onto the merchants. Since they lose practically no money to fraud, they have very little incentive to improve security. (The exorbitant interest rates are to cover the cost of credit card holders who default on their debt.) For market forces to work correctly, financial penalties for risks which fail must be linked to financial profits when those same risks succeed. What Visa et al have done is decouple the penalties from the profits (profits go to them, penalties to the merchant), leading to a situation where they are not penalized when the risks they take (poor security) fail. Consequently there is no motivation for them to improve credit card security beyond the laughable state it's currently in.

> When you pay for gas with a credit card and the pump asks you to punch in your zip code, it's not collecting marketing information. It's using the zip code as a (rather flimsy) security measure to protect against someone buying gas with a lost/stolen credit card

Sometimes. Other times, it's explicitly used for marketing purposes, and has nothing to do with card security. Gas at the pump is usually security, but any time a cashier is involved it's usually marketing.

> The truth is that credit card interest is the highest profit gig in the whole world. Because of this, Visa/MasterCard

Visa/MasterCard make $0 off of interest. They charge a fee for the convenience of not having to use cash. They're not in the "loaning money" business at all, and of course TFS talks about debit cards, not credit cards.

> Vendors are not even allowed to do things like require an ID, (I know they do, but it is against the vendor agreement), even though it would make purchases a lot more secure, because EASY trumps everything, EASY makes billions.

Easy is what the customers want. For normal fraud with actual credit cards (nothing to do with this story, of course), it's the merchant who eats the fraud for ID theft. But merchants sign up for that, because they'll have less business if they're inconvenient for their customers.

The way it's supposed to work is that the store calls the issuer and requests an override code, and then keys it in themselves. The bank can then tally the auth code against the store's call at the end of the day and process the charge. I have never seen a situation where the customer calls up the bank themselves.

The store doesn't call the card issuer for approval. The store calls their merchant bank that provided them with card processing facilities. The merchant bank then calls the card issuer to seek approval for the transaction. The merchant bank does not source the phone number of the issuing bank from the card; they use a lookup table provided by Visa or Mastercard.

I used to work at The Apple Store. And that's really the way it should work. However, from my time there, we had credit cards declined all of the time. The Apple Store is a huge place for fraudulent purchases and credit cards routinely auto-blocked access when purchases were for Apple and outside of typical purchases. We actually had the VP of BOEING's Business credit card declined. The standard procedure was to have the customer call the bank, validate that they were them, and that they indeed DID want to make the purchase. After about a minute, we could re-run the card and it'd work.

Now, when the payment device asked for an Override code, it was the job of the EMPLOYEE to go to the back and call up the bank. We're provided special numbers to call and special codes we have to type in. It's a horribly clunky and long process which everyone hated to do, but that was it. So, this is completely the employee's fault - albeit it's really a training issue and the blame rests with Apple. I can totally see why an employee would

#1) Not want to go through that process when they need to get to the next sale

#2) Possibly be new and not completely understand the process

#3) Be susceptible to some clever social engineering - ie: There are some cases where the customer must call the bank. I need an override code from the bank to process this. The customer is calling the bank, so that means I don't have to!

So it's a big f-up, but I can totally understand how and why it happened.

It's not a unique security code - it's a TRACKING NUMBER. This whole part of the process is designed specifically to work around an issue where the computer records might be incorrect or the computer system is in error and an actual human has to issue an authorization code.

The actual fault in the system is that the Apple Employees let Sharron make the call and GIVE them the number. Instead THEY should've called Chase directly and gotten the code.

Well, maybe, but maybe the fault lies with the criminal, they printed credit cards that looked and felt real enough to fool a store clerk who handles them every day, what are the odds that clerk called the bank with the phone number on the back of the card? I have worked in retail, the check/credit card fraud was amazingly simple back then and still they got away with it, the rule of more secure less convenient does come into play but Apple understands this, each sales person is also a 'register' and the t

The store doesn't call the number on the back of the card - the store calls their own merchant bank.

This was just straightforward grift (a con game), not some glaring flaw in the banking system. The sales clerks got suckered, perhaps due to lack of training by Apple, or perhaps the con-man was just that good.

Oh, blame the lobbyist? Is your "Free Market" soul hurt? This is a process by the Credit Card companies and the Banks. Lobbyists have next to nothing to do with it. Apple screwed up by not contacting the bank themselves. Apple screwed up by allowing a bully customer to steamroller them. Most companies don't even allow their employees to do this process because doing so says you're absolutely sure you've followed the process, and will accept the charges. It's typically only done on big ticket purchases were

2. The MERCHANT is supposed to call the bank to obtain manual authorisation

3. The bank actually performs the transaction against the backend, reserves the funds and issues an auth code to the merchant. This auth code is a reference number. A pretty large financial switch supplier I used to work with would use the local time (HHMMSS) as an auth number. Nothing wrong with that, transaction has already been authed online via the call centre.

4. The merchant enters a manual transaction on the POS device, entering the auth number on the POS device to form part of the transaction.

5. The POS does not send anything at this point in time to the bank. Remember, in obtaining the auth number, the transaction was already submitted and approved. The POS keeps this transaction in storage with the auth number.

6. End of day, the POS submits all transactions to the bank. This is called Banking the POS or settlement.

7. Since all online transactions have been performed, these settlement records act as a reconciliation. At this point the customer's bank account gets debited and the merchant only gets settled for the settlement transactions that were submitted to the bank, not for the online auths. If this settlement transaction does not match exactly with the original auth, the merchant does not get settled for this transaction. (It is slightly more complicated than this, since floor limits allow for the case where there was no original auth and the settlement tran is the only message seen, but for the amount of an Apple Store purchase, this would not come into play.)

So the system is relatively secure, but the MERCHANT should have called the bank, not the customer, that is where it broke down. This system also allows for floor limits, where the merchant is willing to accept a certain level of risk and the POS device approves transactions for an amount less than a set limit. At the end of the day the POS device submits these transactions to the bank and if the cardholder does not have sufficient funds, the merchant loses out.

All these protocols have been in place for many years and date from a time when communication between the POS and the bank was relatively expensive and slow. Dialling up for every transaction was not an option, so you would try to batch them together to achieve a lower cost per transaction.

This is a very high level explanation of the issues involved here, but should convey the general ideas.

500 bucks plus the lives of three Foxconn employees, the services of one street-cleaning crew and a large, counterfeit bottle of [Chinese-knockoff] Simple Green all-purpose cleaner (not quite as effective as the real thing but still more than adequate for getting reasonably fresh bloodstains off of sidewalks).;)

Nobody questions their quality, just their price for performance. Apple has always sold lower performance hardware at a premium over other kinds of systems. But they have a totally different business model and they sell the Apple branded way of doing things to users who don't mind paying for it.

I will point out that Apple's quality has not been as stellar of late, they ARE slipping somewhat, but they are still better than your average company. So, I suppose there are SOME folks who complain about Apple's quality so I must revise my statement.

Most of the technology and electronics are pretty much the same, but the case, screen, keyboard, trackpad, speakers, etc - all the stuff that you directly interact with, tend to be much superior. Often even compared to a comparably-priced PC. Whether or not that is worth the price premium is entirely a personal question.

I've worked with Apple gear since 1984, and have worked for 3 Apple VARs. I've only seen 3 power supplies go bad in what, 25 years? Sounds like you need to run some kind of power conditioner / UPS to prevent the strain on your power supplies.

I've been buying computers since I was a kid saving up for a 386DX33. The most I've ever spent on a computer was maybe a quarter of that sum. This further confirms, to me, that Apple gear is immensely overpriced.

Nice job picking out the only quote in the entire thing that suggests Macs are more expensive. You can buy a PC for less than Dell or anyone else charges too if you buy the components yourself. If you actually read the article (instead of deliberately taking out one quote that runs counter to the rest of it) you'll see that between the comparisons they did, the Mac is equal to one system and $200 less than the other. When the components were priced out separately to build a Mac Pro clone, you could save a w

A 6-core mac pro plus an apple thunderbolt display plus a high end macbook pro for when you are on the road could get to that kind of money pretty easily without looking too suspicious (assuming you look rich)

The scam works better with a large purchase. Banks routinely deny transactions over some amount, forcing the retailer to call for an override code. Apparently the denial for "bad account" looks identical to the one for "valid account, but that amount is high so give us a call, okay?"

If his card was denied for a $500 purchase, he'd need to convince the retailer that it was a bug in the system, not just a routine check for a large purchase.

Surely they don't have all those in the store? Remember this guy had to walk out with hardware in hand because by COB they would figure out they'd been had, so making any special orders would be a no-go option. No, I'm sure he had to buy "in stock" stuff from the store.

Once upon a time, the retailer would have to take the blame for this because it is the retailer who is supposed to make the call to the financial institution on the retailer's own phone line, not using the cardholder's phone or trusting the cardholder's ability to dial the number.

Unfortunately, the retailers are successfully using the police to cover for the incompetence of their staff.

Fraud is fraud. They aren't going after the banks, just arresting the actual criminal.

This scam is nothing new. I fell for it once 20 years ago when I was 18. The customer told me I needed to use the number printed on the card to get an authorization code. Being 18 and not knowing any better, that's what I did. Everything seemed legit during the phone call, I punched it in to the card system, and the scammer walked away with a very nice laptop.

Given that the claim is they defrauded Apple my guess is the bank told Apple they were going to eat the charge for not following procedures. Apple called the police because they've been defrauded.

Because Genius here used his own name in the transaction it becomes rather trivial for the police to put the guy in prison. Here's a secret, the easiest way to get the police involved in some crime is to make it incredibly easy for them to investigate and get a conviction, particularly with some victim that will dr

Based on TFA this scam has been done before to other retailers. When a merchant receives a "decline" they can optionally call the bankcard processor to obtain a verbal authorization code. The merchant can then "force" the sale to go through using the authorization code they received over the phone. The two huge procedural holes that Apple (and the other retailers) left open are:

1: The clerk is the one that should be calling for an approval code, and the call is made not to the cardholder's bank but rather to the bank that processes the cards for the retail store. It doesn't matter what the customer's bank says (or in this case the fake bank) since the approval/authorization code must come from the retailer's bankcard processor.

2: At my store a manager override is required to "force" a bankcard approval. So even if the clerk makes the call and gets a voice approval code a manager/owner must also provide a password to allow the approval to go through. Apparently Apple has no such security check in place and clerks can type a manual code into the POS system to force the sale to go through.

Amazingly simple scam, but also amazingly simple to prevent if the stores involved had even rudimentary procedures in place.
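The force-sale flow laid out in the numbered steps above (the merchant calls its own processor, the auth code is a reference number, end-of-day settlement must match an issued auth) and the two procedural holes this poster lists, as an added Python model that is not from the thread or from any real POS or processor. It contrasts the length-only check an earlier poster describes with a merchant-initiated, manager-approved path; Processor, POS, MANAGER_PIN and the sample cards are assumed.

```python
# Toy model of the manual-authorization ("force sale") flow discussed in this
# thread. Constructed example, not code from Apple, any poster or any real
# processor; the names Processor, POS and MANAGER_PIN are made up.
from dataclasses import dataclass, field
import datetime as dt

MANAGER_PIN = "4321"  # assumed: the manager override some stores require


@dataclass
class Processor:
    """The merchant's bankcard processor: the bank the STORE calls, never a
    number printed on the customer's card or dialled from the customer's phone."""
    issued: dict = field(default_factory=dict)  # auth code -> (card, amount)

    def voice_authorize(self, card: str, amount: int, when: dt.datetime) -> str:
        # The transaction is authorized during the call itself; the returned
        # code is only a reference number, so local time HHMMSS is adequate.
        code = when.strftime("%H%M%S")
        self.issued[code] = (card, amount)
        return code

    def settle(self, batch: list) -> tuple:
        """End-of-day settlement: a forced record is paid only if it matches an
        auth this processor actually issued; anything else is the merchant's
        loss, because the goods already walked out of the store."""
        paid = [r for r in batch
                if self.issued.get(r["auth"]) == (r["card"], r["amount"])]
        rejected = [r for r in batch if r not in paid]
        return paid, rejected


class POS:
    def __init__(self) -> None:
        self.batch = []  # forced sales held until settlement

    def weak_force_sale(self, card: str, amount: int, code: str) -> bool:
        """The flawed path from the thread: any digit string of the right
        length is accepted, so a code dictated by the customer is never checked."""
        if len(code) != 6 or not code.isdigit():
            return False
        self.batch.append({"card": card, "amount": amount, "auth": code})
        return True

    def force_sale(self, card: str, amount: int, processor: Processor,
                   manager_pin: str, when: dt.datetime) -> bool:
        """The procedure the posters describe: the clerk calls the merchant's
        own processor and a manager approves the forced entry. The auth code
        comes out of that call; there is no field for a customer to fill in."""
        if manager_pin != MANAGER_PIN:
            return False
        code = processor.voice_authorize(card, amount, when)
        self.batch.append({"card": card, "amount": amount, "auth": code})
        return True


def run_day() -> dict:
    """Replay both paths for one day and report what settlement does with each."""
    processor = Processor()
    pos = POS()
    noon = dt.datetime(2014, 7, 29, 12, 0, 7)
    # Constructed sample: a dictated code of the right length on a closed card,
    # accepted by the weak POS check ...
    dictated = pos.weak_force_sale("card-closed-1", 3000, "123456")
    # ... a forced sale obtained the proper way ...
    proper = pos.force_sale("card-valid-9", 1500, processor, MANAGER_PIN, noon)
    # ... and a forced entry refused outright because the manager PIN is wrong.
    refused = pos.force_sale("card-valid-9", 1500, processor, "0000", noon)
    paid, rejected = processor.settle(pos.batch)
    return {
        "dictated_accepted_by_pos": dictated,
        "proper_accepted_by_pos": proper,
        "no_manager_refused": not refused,
        "settled": [r["card"] for r in paid],
        "merchant_loss": sum(r["amount"] for r in rejected),
    }


if __name__ == "__main__":
    print(run_day())
```

The dictated code clears the POS but fails reconciliation, which is exactly why the loss lands on the merchant rather than the bank.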

> 1: The clerk is the one that should be calling for an approval code, and the call is made not to the cardholder's bank but rather to the bank that processes the cards for the retail store. It doesn't matter what the customer's bank says (or in this case the fake bank) since the approval/authorization code must come from the retailer's bankcard processor.

Read again, the clerk should be calling the store's bank, not the customer's bank.

Both times I've done it, though, I used my phone to look up the generic number for the credit card company. Don't blindly trust anyone* and use their number on their card. God only knows where that's actually going.

A simple work around is to alter the phone number on the card to a number you control.

Then the retailer could call the number receive the code from your accomplice and provide a valid false code.

The retailer doesn't call the number on the card, the retailer calls the merchant service center. For example, customer has a Chase Mastercard and when Apple tries to post a transaction the card receives a decline. Apple would never call Chase, but instead calls their provider (which at my store is First Data Merchant Services). Apple's provider in turn electronically contacts Chase and then provides an approval code back to the clerk. The customer (or scammer) never has an opportunity to change the phone number unless they physically get behind the checkout counter and overwrite the numbers that are posted for the retail clerks to use. So it doesn't matter what phone number is on the card, that number is for the customer's use and not for the merchant's use.

I worked retail for a long time, including an Apple Store. I cannot remember the policies at Apple when I was working there, but most places will not take a verbal approval code.

If the person on the other end of the phone (generally you get to them by calling the 800 number on the back of the card) has the ability to run the transaction, they have the ability to clear whatever prevented the card from going through the first time. They would have to - they have to clear the hurdle before they can run the transaction themselves.

So policy at most places is that the telephone operator clears the issue (usually it is a daily spending limit that card issuers never mention) and then the store runs the card again. There was no procedure for manually entering a verbal approval code.

My memory of Apple Retail (this was '04-'06), however, is that they had almost every contingency covered. The POS machines all had USB modems attached so that in case the Internet went down at the store, credit cards could still be processed. We even had the old CH-CHUNK imprint devices when everything went pear-shaped. I do seem to remember having the ability to enter a manual authorization code for a credit card transaction. It is Apple Retail - there are supposed to be no hurdles keeping a Specialist from keeping a customer happy.

So they weren't calling the bank, but obviously they were calling someone. Did the store employee actually speak with someone, or did he manage to fake the call entirely? Presumably he had an accomplice who was pretending to be the bank. Did they track down and arrest that person? I didn't see it in the article.

That Apple even accepts this is ludicrous. Just tell the guy, "Look, we have a whole store full of this shit. It will be here tomorrow. Or the next day. Or the day after that. Come back when you clear your crap up with your bank, and THEN pay for it."

> "The participants were first asked about their wealth, schooling, social background, religious persuasions and attitudes to money in an attempt to establish their perceived social class."

Interesting experiment. The methodology is broken.

Because of the possibility that dishonest people will lie about their own income and social status the conclusion that wealthy people are more dishonest is unfounded. According to the description of the experimental methods, subjects categorized as "wealthy" in the study would have included both the genuinely wealthy and the non-wealthy liars. That is, the study misidentifies poor liars as wealthy liars. And with some de

lowlife as he may be, running this still took some moxie and guile. he could easily fit in with a sales team somewhere (pharma perhaps?). he might need to lower his ethical standards a bit, but that's something they teach on the job methinks.

The credit card issuers do have some security in place - they confirm the identity of the card-holder with various questions. However, in this case, the credit card company weren't contacted and were obviously unable to confirm or deny the card-holder's identity.

I walked in once... and couldn't figure out how to buy something so I left !

Seriously? So I'm to assume you didn't speak English because every time I've been in an Apple store I've been approached multiple times with "How can I help you?" questions from the staff. I'm sure if I said "I'd like to buy an iPad" they'd know what to do with my credit card..

As others have said, there is a system to check this - the vendor calls the bank in question and gets an authorization code for the transaction. However, by allowing the scammer to "call his bank" and provide them with an "authorization code" rather than doing it themselves the Apple store employees left themselves wide open to being exploited.